QUESTION 21
Which Sentinel objects can be imported into the Sentinel Control Center interface? (Choose 2)
A. Users
B. Global filters
C. Active views
D. Solution packs
E. iTRAC Workflow
F. Correlation rules
Answer: CF
Explanation:
C: After creating an Activity, you can modify, import or export it.
To import an Activity:
1 Click the iTRAC tab.
2 In the Navigator, click iTRAC Administration > Activity Manager.
3 Click the Import/Export Activity icon. The Import/Export Wizard window displays.
4 Select Import Activity and click Explore.
5 Navigate to your import file. Click Import.
6 Click Next. You will see a list of activities that are imported.
7 Click Next and click Finish.
F: To Import a Correlation Rule:
1 Open the Correlation Rules Manager window and click the Import/Export Correlation Rule icon.
Etc.
QUESTION 22
The Sentinel Correlation Engine Architecture is made up of which components? (Choose 2)
A. DAS Query
B. Active views
C. Input manager
D. Action Manager
E. Solution Pack Controls
Answer: AB
Explanation:
Note:
* Sentinel Server Architecture
* A Sentinel Server is made up of the following components:
/ Communication Server
/ Correlation Engine
/ DAS
/ Collector Manager
Any combination of the above components can be installed in a particular Sentinel Server.
* DAS_Query performs general Sentinel Service operations, including Login and Historical Query.
QUESTION 23
Which actions are applicable as an iTRAC step? (Choose 4)
A. Mail Step
B. Logic Step
C. Manual Step
D. DropList Step
E. Decision step
F. Command step
G. UpdateList Step
H. Batch process Step
Answer: ACEF
Explanation:
Steps are the basic components of a Template. Every Template must have a Start Step and an End
Step. The Start Step exists by default. You can also add the following types of Steps to a Template:
Mail Step
Manual Step
Decision Step
Command Step
Activity Step
End Step
QUESTION 24
What operators can only be used when using the Custom/Freeform option in correlation wizard? (Choose 3)
A. Flow
B. Gate()
C. Filter()
D. IsNull()
E. InList()
F. Window()
G. Sequence()
H. Match subnet
Answer: DEH
Explanation:
* Freeform rules are the only way to include certain functionality in a correlation rule. Freeform rules give you the ability to do the following:
/ Nest operations using parentheses (to specify order of operations)
/ (E) Use the inlist operator to refer to a dynamic list
/ (D) Use the isnull operator to refer to unpopulated fields
/ Use the w. prefix for a field name in the window operation to compare an incoming event’s value to a set of previous events
* (H) The match subnet operator can be used to build a condition where the value of a metatag matches a user-specified subnet specified in the rule in CIDR notation. This operator is used only for IP address fields.
Example:
filter(e.DestinationIP match subnet (10.0.0.1/22))
Note:
* The Sentinel Correlation Engine runs rules that are written in the Correlation RuleLg language.
Rules are created in the Sentinel Control Center. Users can create rules using a wizard for the
following rule types:
/ Simple Rule
/ Composite Rule
/ Aggregate Rule
/ (not G) Sequence Rule
These rules are converted to the Correlation RuleLg language when the rules are saved. The same rule types, plus even more complex rules, can be created in the Sentinel Control Center using the Custom/Freeform option. To use the Custom/Freeform option, the user must have a good understanding of the Correlation RuleLg language.
QUESTION 25
What does a red line indicate in the tabular part of an active view?
A. A severe event occurred
B. A collector error occurred
C. Data was dropped by Sentinel
D. More events were received than could be displayed
Answer: D
QUESTION 26
Which statement is true regarding roles used by iTRAC?
A. Users can be made a member of only one role
B. Users can be members of multiple roles at any one time
C. Users can be a member of one member role and many secondary roles
D. When a user is created, a new role is created for that user and the user may then be added to additional role
Answer: B
QUESTION 27
You create and deploy a correlation rule with a Create incident action that also indicates an iTRAC workflow. After having the rule on for an hour, you find that the system has created several hundred workflow processes. What steps can you take to address this problem? (Choose 2)
A. Change the iTRAC settings in the configuration xml file
B. Configure the Data retention field in the Sentinel Data Manager
C. Set the maximum incidents setting to 10 in the correlation action definition
D. Adjust the definition of the rule so the threshold for triggering an event is higher
E. Change the Update Criteria to "do not perform actions every time this rule fires for the next 1 hour"
Answer: AC
QUESTION 28
Which Incident field provides a GUI option to configure the items in the drop-down list?
A. State
B. Priority
C. Severity
D. Category
E. Originator
Answer: B
QUESTION 29
When using the Correlation Rule Wizard, which option would you select to create the RuleLG filter (e.rv32=*FW* and e.Severity = 3)?
A. Simple
B. Sequence
C. Aggregate
D. Composite
Answer: D
QUESTION 30
What happens when a user accepts a worklist item assigned to an iTRAC role?
A. The administrator receives an email notification
B. The user’s profile information is attached to the incident
C. An assignment is made in the USERS table of the database
D. The worklist item is removed from the worklist for the other users in that role
Answer: D